diff options
author | Lennart Poettering <lennart@poettering.net> | 2021-11-09 18:26:53 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2021-11-09 18:32:25 +0100 |
commit | 2d09ea44fcd7c13658bf2e706b4ecd6aba35bfbf (patch) | |
tree | 15febc6d1eb03041d77c50c6fdfb74e385800979 /src/nspawn | |
parent | 0cc3c9f997d0ea39f0309e74117a033635b2291f (diff) | |
download | systemd-2d09ea44fcd7c13658bf2e706b4ecd6aba35bfbf.tar.gz |
nspawn: only copy syscall filters from settings if actually configured
As in the previous commit, let's not copy settings that aren#t
configured, so that --settings=override with an empty .nspawn file is
truly a NOP.
Diffstat (limited to 'src/nspawn')
-rw-r--r-- | src/nspawn/nspawn.c | 24 |
1 files changed, 14 insertions, 10 deletions
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c index 3209b50417..9adc166aa9 100644 --- a/src/nspawn/nspawn.c +++ b/src/nspawn/nspawn.c @@ -4462,19 +4462,23 @@ static int merge_settings(Settings *settings, const char *path) { if ((arg_settings_mask & SETTING_SYSCALL_FILTER) == 0) { - if (!arg_settings_trusted && !strv_isempty(settings->syscall_allow_list)) - log_warning("Ignoring SystemCallFilter= settings, file %s is not trusted.", path); - else { - strv_free_and_replace(arg_syscall_allow_list, settings->syscall_allow_list); - strv_free_and_replace(arg_syscall_deny_list, settings->syscall_deny_list); + if (!strv_isempty(settings->syscall_allow_list) || !strv_isempty(settings->syscall_deny_list)) { + if (!arg_settings_trusted && !strv_isempty(settings->syscall_allow_list)) + log_warning("Ignoring SystemCallFilter= settings, file %s is not trusted.", path); + else { + strv_free_and_replace(arg_syscall_allow_list, settings->syscall_allow_list); + strv_free_and_replace(arg_syscall_deny_list, settings->syscall_deny_list); + } } #if HAVE_SECCOMP - if (!arg_settings_trusted && settings->seccomp) - log_warning("Ignoring SECCOMP filter, file %s is not trusted.", path); - else { - seccomp_release(arg_seccomp); - arg_seccomp = TAKE_PTR(settings->seccomp); + if (settings->seccomp) { + if (!arg_settings_trusted) + log_warning("Ignoring SECCOMP filter, file %s is not trusted.", path); + else { + seccomp_release(arg_seccomp); + arg_seccomp = TAKE_PTR(settings->seccomp); + } } #endif } |